|
[Japanese]
|
JVNDB-2023-000051
|
Multiple vulnerabilities in T&D and ESPEC MIC data logger products
|
|
Multiple data logger products provided by T&D Corporation and ESPEC MIC CORP. contain multiple vulnerabilities listed below.
* Client-side enforcement of server-side security (CWE-602) - CVE-2023-22654
* Improper authentication (CWE-287) - CVE-2023-27388
* Missing authentication for critical function (CWE-306) - CVE-2023-23545
* Cross-site request forgery (CWE-352) - CVE-2023-27387
CVE-2023-22654
Takaya Noma, Tomoya Inazawa, Yudai Morii, Junnosuke Kushibiki, Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-27388
Tomoya Inazawa, Takaya Noma, Yudai Morii, Junnosuke Kushibiki, Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-23545
Yudai Morii, Takaya Noma, Tomoya Inazawa, Junnosuke Kushibiki, Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-27387
Junnosuke Kushibiki, Takaya Noma, Tomoya Inazawa, Yudai Morii, Takayuki Sasaki and Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 9.8 (Critical) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.5 (High) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2023-27388
|
CVSS V3 Severity:
Base Metrics
4.2 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: High
-
Privileges Required: Low
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: Low
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
2.1 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: Single
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-22654
|
CVSS V3 Severity:
Base Metrics
5.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: None
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
5.0 (Medium)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: Low
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-23545
|
CVSS V3 Severity:
Base Metrics
4.3 (Medium) [IPA Score]
-
Attack Vector: Network
-
Attack Complexity: Low
-
Privileges Required: None
-
User Interaction: Required
-
Scope: Unchanged
-
Confidentiality Impact: None
-
Integrity Impact: Low
-
Availability Impact: None
CVSS V2 Severity:Base Metrics
2.6 (Low)
[IPA Score]
-
Access Vector: Network
-
Access Complexity: High
-
Authentication: None
-
Confidentiality Impact: None
-
Integrity Impact: Partial
-
Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-27387
|
|
|
ESPEC MIC Corp.
- RS-12N all firmware versions
- RT-12N all firmware versions
- RT-22BN all firmware versions
- TEU-12N all firmware versions
T&D Corporation
- RTR-5W all firmware versions
- TR-71W all firmware versions
- TR-72W all firmware versions
- WDR-3 all firmware versions
- WDR-7 all firmware versions
- WS-2 all firmware versions
|
|
|
* An arbitrary script may be executed on a logged-in user's web browser - CVE-2023-22654
* An attacker who can access the product may login to the product as a registered user - CVE-2023-27388
* An attacker who can access the product may alter the product settings without authentication - CVE-2023-23545
* If a user views a malicious page while logged in, unintended operations may be performed - CVE-2023-27387
|
|
[Stop using the product]
The developers state that these products had been end of sale in 2014, therefore recommend users to stop using the products.
Until stop using the products, it is recommended that applying following mitigations.
- Connect the products to the trusted closed network
- Allow only trusted PCs to access the products
- Install a WAF to protect the products
Apart from the vulnerabilities, the developers released updates with improved security features for the following products.
- T&D Corporation's products
- ESPEC MIC CORP.'s products
For more details, refer to the information provided by the developers.
|
|
ESPEC MIC Corp.
T&D Corporation
|
|
- Improper Authentication(CWE-287) [IPA Evaluation]
- Cross-Site Request Forgery(CWE-352) [IPA Evaluation]
- No Mapping(CWE-Other) [IPA Evaluation]
|
|
- CVE-2023-23545
- CVE-2023-22654
- CVE-2023-27387
- CVE-2023-27388
|
|
- JVN : JVN#14778242
- National Vulnerability Database (NVD) : CVE-2023-22654
- National Vulnerability Database (NVD) : CVE-2023-23545
- National Vulnerability Database (NVD) : CVE-2023-27387
- National Vulnerability Database (NVD) : CVE-2023-27388
|
|
- [2023/05/19]
Web page was published
- [2024/05/23]
References : Contents were added
|
